Posted
by
kdawson
on Tuesday February 23, 2010 @08:36PM
from the swipe-and-get-swiped dept.

tugfoigel writes "A wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah."

I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.

Or use a bike. Better for you and the environment too at the same time.

Okay, that's one problem avoided. So then how would one protect themselves from a skimmer on any other type of card reader, like at an ATM, vending machine, or a gas pump since no, you can't always just bike everywhere.

Or use a bike. Better for you and the environment too at the same time.

Okay, that's one problem avoided. So then how would one protect themselves from a skimmer on any other type of card reader, like at an ATM, vending machine, or a gas pump since no, you can't always just bike everywhere.

Ok, on a serious note about the problem. How to figure out a solution to this problem. Issue is, there isn't a simple answer.

Some might say we just need more education on the subject. But lets be honest. That won't work, never has, never will. People have been told that about everything from health (eat less processed/junk food, exercise more, ect... and as there are more people obese today then ever shows how well that works), to drugs (I've heard of the problems with things like crack since the 80's when I was born, and it's still being used today), to the basics of never share passwords but these things still happen.

Other things need to be taken into consideration. Why are these happening? People are need money more then before with a lack of jobs due to the recession. Also the ease of availability of these problems (these machines are showing up in more and more places). Also a lack of security in these newer forms of payment that are shown to be insecure ( http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html [boingboing.net] ) yet still forced upon the consumer due to the millions funded into these technologies and the fear of admitting these losses to shareholders.

Many of these company's and people are no doubt hoping things like DMCA laws and their inclusion into global laws like the ACTA will help get rid of the problems since it will make the technology illegal (these break digital security locks). Thing is, again it won't work. Drug growers have shown that when these problems come about, people will just go underground and look for other ways to do this. This was shown during the Regan years of the war against drugs. As time passed, it was harder to smuggle weed from places like Afghanistan, so people started shipping hash. Same type of drug but smaller and easier to ship. After that came hash oil since it was again smaller and the law started to figure out about hash. When hash oil was found out, people started to look into hydroponics (a new growing method for plants of ANY kind) and found they could grow a better crop (better watered, feed, controlled, ect...) in the country bypassing the issue of smuggling it in.And just like pot dealers/growers showed that the law means little in the end to get what they want, same will happen with this and as with every crime in history.

Say American next time. We won't even make fun of you for getting your ass kicked a couple hundred years ago by a bunch of degenerates with pitchforks and your uptight neighbors that have something against shaving.

Not everyone lives in $big_local_city for a variety of reasons. (crowded conditions, crime, expense, etc.) If you live out in the sticks, (essential if you want to own a plot of land that is somewhat bigger than what your house actually sits on) public transportation or biking is not a serious option. Plus, who the hell wants to bike to work and get sweaty in the summer and freeze during the winter?

Some of us invest significant thought and effort into finding the right home in the right area, maintaining it well, making improvements (e.g. replace the Linoleum with tile one year, build a larger deck the next, plant trees in the yard after that), getting to know the neighbors, etc. Having pride in and enjoying a home can easily outweigh an hour or more commute, and giving that up can be a very big deal for some people.

I don't think that there was anyone talking about forcing anyone to do anything. In fact no one forced you to argue via reductio ad absurdum, but you did it, anyway. Isn't freedom nice?:)

More seriously, most people could commute less. Many people could do without a computer (or ten). In fact, that's common in Asia, where gamers don't want to waste a bunch of money upgrading constantly. The game room absorbs the cost over many clients. More people could live in apartments or planned housing, which speaks di

I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.

How do I protect myself from a skimmer inside a gas pump?

Step 1: Assume they're compromised.
Step 2: Pull out the concealed Glock that every freedom loving American carries around and fire wildly into them.
Step 3: If the machine is rendered out of order, move onto the next machine and go to Step 1. If someone tries to stop you, go to Step 1.

But in all seriousness I think you could pick up a "preferred customer card" at some grocery store and carry that around with you. When you approach the pump, put that card in first. A compromised machine might feel weird and will most likely not respond to you inserting a card. An uncompromised machine will swipe easily and also think for a second and then ask you to reswipe your card. While not flawless, this is the best thing I can think of aside from prepaying at the attendant in the store or something really crazy like demanding to borrow a passerby's card to see if it works before you put yours in. It's also probably your best option if you buy gas after hours like I do. The unfortunate side effect is it wastes time and makes it look like you're flipping through maxed/stolen cards.

No, pretty much all a card skimmer does is record the data on the magnetic stripe.
They don't care what the data is or how the machine uses that data.
A typical mag card reader that you can legally buy off the shelf will happily record the info on your drivers license or preferred customer card every bit as easily as on your credit card. Mag stripe cards have the data in plain ASCII text, credit cards included.

If you've ever written a program that reads text data off a serial port and saves that data to a

Beyond that, the recording software will most likely have a filter for credit cards. Ie, 4xxx..., 5xxxx..., 6xxxx..., etc. It's been a while since I spent any time with people into that sort of thing, but each card type (Visa, MasterCard, Amex, etc) has their own sequence. The first digit denotes card type. The first sequence of three or four digits denotes the issuing bank.

As others have said, a mag stripe reader will read the card. The only hang up is finding a reader with the right number of tracks.

Good analysis. The skimmers in question were built by someone who knows their way around these pumps. They evidently replaced the entire panel. The device would read the card data, and record the typed in PIN. It then held the data until the paired Bluetooth receiver came in range and then would dump it's data.

No need to sit in proximity to the compromised pump. I haven't seen anything on the storage capacity but I dare say who ever was doing this just downloaded when they filled their tank up, or when they'd stop by for morning coffee.

The way they were able to make the switch is all pumps nationwide are made by only two manufacturers, and those manufacturers each have A key design to open their pumps. Two keys can open every modern gas pump in the country.

All the perps needed to do was get access to one machine of the model used at the targeted 7-11. Rewire the front panel from that one. Make the swap and rewire the swapped out panel for the next pump they want to wire.

Contrary to TFA, most reports are that only one or two stations were found to be compromised, but given time that number could have quickly grown.

Up above I linked to an article about a Gas chain that heard of this potential scam, identified the weakness in the key system and re-keyed all their pumps with each store having a unique key pattern for its pumps. Not perfect, but makes the inside part of such an inside job have to be an employee of the store the pump is located at.

If you have a pair of sunglasses and a jacket, you should be good to go.

1: Get a $10-$25 cash card from your credit card company
2: Slide it through the card reader
3: Light up a cigarette
4: Spray gas all over the pump
5: Slowly walk away, flicking the smouldering cigarette behind you, onto the pump. Speak a one-liner about gas, pumps, explosions, fire, smoking, or credit card fraud. It is very important NOT to laugh at your own joke.
6: No matter how hot your back suddenly gets, keep walking slowly and DON'T turn around, (glass or shrapnel is going to hit you, it's better to take it in the back than in the face.)
7: Never worry about gas pump skimmers for the rest of your life.

If you're going to pay with a credit card at the pump there's no way to completely eliminate the problem. Paying inside should avoid this. If you're going to pay at the pump, using a debit card as a credit card (ie not putting in your pin) will give you greater protection since they won't be able to copy your card and use it at an ATM (the way these cards are being used so far).

After getting bit in the butt twice, I opened a second account with an attached debit card. I transfer a couple of hundred dollars in there every pay check and use it for gas, groceries and online purchases. If the account gets compromised I am only temporarily out whatever is in there.

FWIW, the first time my account was compromised Wells Fargo contacted me. The second time I recognized the fraud and contacted them. Both times I had the money back in my account in less than three days. Both times it wa

How can you protect yourself? It's not easy anymore. You now see that a compromised machine doesn't necessarily have semi-obvious modifications you can see from outside. I think people will have to start using temporary credit cards with low limits more often.

I don't know if it was intentional but this seems to have been predicted in Batman of the Future - the characters carry around a large number of "creds" and each one seems to have a limite

I just assume that half of all the comments on here are the result of millions of monkeys in front of million of keyboards, with some sort of quick check to filter out most of the comments without real words in them.

It's not new and the scam was actually used here at ATMs as well, not only putting an additional reader on top of the old one but also installing a video cam or a punch-through keypad on the ATM that recorded the keystrokes of your pin number. I was working for the security department of a bank when this was en vogue, and I still have a few of the confiscated cams and pads to prove it (strangely, nobody wanted them back...).

The "new" part is where these swipers don't even look suspicious anymore. These "old

I'm a gas pump mechanic, and I'm shocked it's not way more prevalent. A handful of keys anyone can buy from a petroleum maintenance supply store without any questions, will open every gas pump on the continent. And most employees at gas stations don't watch their videos continuously, some don't even have video surveillance. The parts inside are easy to swap, as they are very similar to the way a PC is set up, with ribbon cables, USB, etc. I found myself staring at the card reading gear and be amazed at

And yeah maybe it is an inside job. Paying clerks $6.00 an hour to work from midnight to 8:00AM does not buy a lot of loyalty. Where do you think most of the pilfered credit card numbers really come from? Try paying people a living wage and this won't happen. Employees who have to live with their mother are not adverse to listening to some ones criminal scheme, which to them sounds like justice rendered.

That's a good point, and obviously the answer is 'no'. I recently had my CC # stolen by a pizza guy. I had just finished something like a 15-hour shift at work, I was tired, and I fell for a scam that, in retrospect, I should have caught on to immediately. Despite the fact that I ordered and paid for the pizza ahead of time, on the web, he told me that he "needed an imprint" of the card. Then he starts making the imprint with... his key? And then (and this is really where I kick myself), I take the original receipt and he goes, "Oh, nope, I need that one" and swaps with me. Of course, the carbon copy (which I am supposed to take but which he took) has the nicest key-imprint on it.

About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.

My understanding is that the banks themselves don't absorb this loss because they pass it on to the merchant-- the merchant absorbs the loss. But I have to wonder whether banks (and credit card users) would be better (and cheaper) served by simply fixing these security problems now. Those fancy fraud-detection units can't be cheap. Our existing CC/ATM system is woefully anachronistic.

I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no. There are many, many other people who are in exactly the same position, or worse, and they choose to do the right thing regardless. CC thieves are thieves. They don't point a gun at you, but the end result is the same thing.

Despite the fact that I ordered and paid for the pizza ahead of time, on the web, he told me that he "needed an imprint" of the card. Then he starts making the imprint with... his key? And then (and this is really where I kick myself), I take the original receipt and he goes, "Oh, nope, I need that one" and swaps with me. Of course, the carbon copy (which I am supposed to take but which he took) has the nicest key-imprint on it.

First of all, as somebody else already replied to, card imprints from pizza deliveries are the norm. It's not a scam, it's something they do.

About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.

Then it can't possibly be the dude. 45-minutes is nowhere near enough time. You think if the pizza delivery guy is running a scam getting credit card imprints that he's just going to get ONE and then run off and start using it? And at a store? Do you think he just took your receipt and handed it over to the cashier when she told him how much the purchase was?

The actual imprinting scams involving scanning the magnetic strip, and making cards that people can use by actually scanning it at stores. I had my debit card skimmed (and so did a bunch of my friends, at the same time). The police eventually tracked it down to a waiter at a Ruby Tuesday restaurant. Apparently he would scan customers cards when he took our checks. It took months from the time he did so for the first purchases to occur, because the people doing the skimming are rarely the same people using the cards. They sell the information, other people make the cards, other people use them.

I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no.

I'm going to assume you're not a racist moron, but I am wondering what the fuck him being Hispanic has anything at all with either being a thief or with a reason why a thief would deserve sympathy. Why did you even bother mentioning that factoid?

Are you going to pay for the billions of dollars it costs to have our military constantly deployed to the middle east?

There are about 115,000 gas stations. Let's say two clerks, open an average of 20 hours, gives m about 1.7 billion man hours per year. So, for about a month of expenses in Iraq, we could bump their pay from $6 to $13.

And if you're worried about security, we could triple the size of the TSA, monitor every parcel of incoming cargo, and follow the Israeli's policy of personally interviewing eve

You gonna pay extra for gas from a station that pays its clerks "living wage"?

Why not? We're already paying extra so oil company executives can enjoy salaries and bonuses in excess of what would be a living wage for some entire countries, which is itself small potatoes compared to the enormous sums of tax money that go towards using the military to run errands for them in the middle east.

>>Where do you think most of the pilfered credit card numbers really come from?

I had a friend (and no, it really was a friend, not me) that was involved in a ring of guys that did that sort of stuff out of Northridge. They'd take lists of CC numbers, pair them with PINs, reprogram some new cards using mag card writers, and then go to some place around 11:30, pull out all the money they could, wait for midnight to flip around, pull out all the money they could, split the money amongst them all, and bailed.

They'd use card readers and compromised clerks to get the CC numbers, and shoulder surfing (I imagine) to get the PINs. They'd move from gas station to gas station randomly in the LA area.

This got my credit card over a year ago in Saskatchewan, Canada. However, my card was skimmed at a do-it-yourself ticket-terminal at the local movie theatre.

It turned out it was a very large network of people who came together and organized the attack and paid people all over the country to do this and sent the info back to 'headquarters' in Ontario Canada.

They racked up over $600 in charges and it all appeared to have been used at Gas stations in Toronto / Missisaga in Ontario.

They put these things on any 'do-it-yourself' terminal they could find. This included pay-at-the-pump gas stations, ATM's, and any kiosk that could read a debit/credit card.

Luckily Mastercard covers things like this so it was much easier to report and reverse than a few friends of mine who had their debit cards skimmed. They had a much harder process to deal with.

The move to "Chip" cards ([url]http://en.wikipedia.org/wiki/Chip_card[/url]) are rapidly increasing these days. I know my local credit union is fully switched over, although maybe half of the retailers in town actually support them.

Let's define this scenario clearly. You put your money in a bank. The bank then gives you access to the bank's services. It's not access to "your" money so much as it is access to a money exchange service. (Think of an ATM and similar services as a vending machine that serves up cash and other things in exchange for the money in your bank account.)

Now there are the criminal parties. These parties are the ones who come in and exploit weaknesses in the system to get cash and other things. In the course of exploiting these weaknesses, they use the credentials of other people to extract the cash and other things from the actual victims.

Who are the actual victims? They are the banks themselves and they are the sellers of other things.

When the people whose credentials were used in the commission of a crime against the banks and merchants are charged with responsibility for the criminal acts, it is the banks and merchants who are victimizing the people... their customers! The criminal performed their crimes against the banks and merchants. It is the banks and merchants who are passing the burden along to the innocent individuals who quite literally have no way to protect or control the situation. It is the banks and merchants who have the means to control and protect.

Every time I hear "identity theft" and other referrals of uninvolved parties as victims of a crime, the lie bothers me. These banks and merchants have created a system that is weak and exploitable that uses its customers as a buffer and even a shield against those weaknesses. You cannot protect your "secret information" so long as it must be shared in order to use it. And once that information is out there and used, the banks and merchants take money from your account instead of theirs. The original victims are, in turn, victimizing the innocent by declaring that the innocents are victims of the original crime.

I am sure there are plenty of people who disagree with my sentiments on the matter. But if you do, point out the flaw in the logic I presented.

Actually, my wife was a victim of this type of scam recently. They systematically cleaned our entire checking account out.
I, like you, felt that the bank's money was stolen, not ours. I put my money in the bank, and had not withdrawn it, so this was essentially a remote bank robbery in my opinion.
Where it gets interesting is this is EXACTLY how the bank treated it. They immediately refunded all money to the account, and then went after the fraud on the other end of the transaction.
Not sure if all banks treat you this way, but B of A did us right. (And they are usually listed as the most evil of providers, so I tend to think they are not unique).
I think identity theft was a real problem 10 years ago before it was understood, but now the banks realize it is not fraud by the victim in most cases and deal with it fairly.

Stories like this are scarier these days with the advent of debit cards. With credit card fraud, if it turns out that the issuer decides they want to collect the money from you then there are at least a couple roadblocks in the way. Once it's gone from the checking account though, all bets are off. And it really boils down to how much you're worth to the bank as a customer.

Personally, I don't like the odds and that's why I store my bank issued ATM/Debit card in very tiny pieces down at the landfill.

You can often get the debit functionality of those combo atm/debit cards disabled if you ask the issuing bank.

Also, debit cards are even worse now than credit cards with the whole mandatory "overdraft protection" scam. All banks require "overdraft protection" on their debit cards (but not necessarily credit unions). They call it a "feature" but it is just a way to screw over people who think having a debit card is a way to enforce fiscal responsibility on themselves as in, "I can't spend it if I don't hav

Yeah, the Fed prounounced that mandatory overdraft covers was verboten and that it had to be opt-in, but it isn't 100% - it doesn't apply to things like checks or scheduled payments and the change doesn't go into effect until July.

Obviously you have to use debit at an ATM, but at gas stations i use credit, even with my debit card, because once they have your pin they can get cash out of your account and not just do a credit card charge. The crooks would much rather have the greenbacks than having to buy crap with your stolen card and fence it.

The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, its the bank's money on the line (until you pay them), but in the latter case, its your money on the line.

The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, its the bank's money on the line (until you pay them), but in the latter case, its your money on the line.

Actually... the bank is most likely to go to bat for you over credit card charges because the consumer protections on credit cards are vastly stronger than the protections on debit cards.

I've never used a debit card for just that reason. You have a problem with your credit card and it's just the one card that might get frozen. You have a problem with your debit card and your bank account might get locked down, which usually leads to a cascading array of problems for most people.

This is but one reason why I use only cash to buy gas. The other is that greedy operators like ARCO will skim $0.45 off the top of every debit card transaction. I happened to be an early victim of debit card reproduction over a decade ago, before these current devices even existed; back then it apparently required collusion with a station employee to redirect outside security cameras and collect register data. The result was the same: my Versatel card was duplicated without ever leaving my possession, an

Any gas station you go into now (unless its in podunk la-la land) has a crazy amount of security cameras all over out there monitoring pumps and to catch fuel pumping thieves. I would suppose the reason the high number of pumps that do get hi-jacked are places that aren't open 24-hours or have a douchebag clerk who "pushes the blinky light" to authorize fuel and doesn't notice someone taking apart the pump next to it.

I remember when skimming waiters or waitresses with hand-held swipe devices was "the scam

Buy a commercial van, outfit it with signage "Bobs fuel pump repair services" or some such. Carry the right tools. Make the attendant sign a receipt for the work. Turn up, install your stuff and go. Fake plates obviously.

As a gas pump mechanic, I can say that most of those security features are just security theatre. Anyone with even 1 weeks apprentice knowledge of gas pumps can probably get into most pumps without notice, after hours or not.

Also, a safety vest, hard hat, clip board, fancy business card, and an attitude will get you everywhere. Hell you could probably get them to turn off all their security cameras for "testing" purposes too LOL.

It happened to me in Malibu. Bastards made some kind of copy of my debit card and spent $250 before my bank shut them down. Fortunately, my bank (wells fargo) restored the $250 to my bank account. I bet the gas stations where the fake card was used got stuck with the bill. Serves them right for not guaranteeing the financial security of their customers. They should keep an eye on their pumps.

I have to say, despite not being very pleased in other ways with Wells Fargo, that they are on top of the game with fraud as far as I can see. I've had five separate issues with my WF credit card in the last year, all of which were handled swiftly (once before I even reported it).

What I really want is a card that I can use for on-line purchases where I either transfer the money for the transaction in advance, or authorize it up to two hours later or it's canceled. I've looked (not very seriously) for two ye

I've been the victim of skimming twice. I love paying at the pump but it's getting out of hand. Even with a credit card it's the inconvenience of filing a dispute, canceling the card, etc. This time they laundered the money by buying five $200 wal mart gift cards with a cloned card.

Here locally they say it's been the Fast Trip and AM PM stations that have been hit. The two with the lowest prices of course.

Equip all cards with a simple chip. This chip contains an encryption algorithim (something strong enough to not be easily cracked by running brute force on data packets). It would also contain a secret key unique to your account. And it should not give the key itself out.

Then the reader sends a formatted packet containing the PIN (if entered), the options (credit vs debit etc) and the amount of the purchase. The card encrypts this data and hands the reader a data packet saying "this is a chip-and-pin transaction" and containing the encrypted data. The reader sends this through the bank networks to the issuing bank.

The issuing bank has another copy of the secret key which it uses to decrypt the data packet and validate that the transaction is possible (i.e. enough money there etc) and returns a "yes, proceed" result to the card reader. The bank would ONLY record the transaction as a chip-and-pin if it was sent through this process (thus preventing dodgy or compromised swipe-only terminals reading the mag stripe and running up the transaction like a mag stripe transaction but telling the bank its chip-and-pin)

The problem with chip-and-pin is that the implementation is broken because it relies on the security of the card reader. My method does not rely on the security of the card reader and is not vulnerable to hacked card readers (wasnt there a recent story on here about chip-and-pin being broken?)

Designed right, its possible to even protect the account number so that only the smart card and the bank can see it (and since you never present enough of the mag strip to the mag strip reader, it cant read data from t

Would redeveloping chip & pin to solve the known issues and rolling out new terminals cost significantly more than the anticipated losses through fraudulent chip & pin transactions? Because as far as the bank is concerned, if the losses they have to eat are £100,000 per annum but the extra cost is in the millions, it'll be a long time before they can justify the investment.

Problem with a new solution is dealing with all the legacy hardware out there for processing transactions. Retailers have to buy new readers that would support both old and new cards, or buy new readers and keep the old ones in service. Retailers profits are hurt.

Card Issuers could force the change over by only processing transactions with the new cards, but if retailers push back and not install new readers the Card Issuers profits take a hit.

We oldsters in the 1970's used to skim gas out of the gas tank. Some of the more ballsier-types would steal whole gas tankers. The fact that you can skim debit cards at the gas pump without spilling gas on yourself is a great technological improvement since you don't have to resell the gas.